Role to Group Assignments

Dear Portal Gurus,
We are on EP 6.0 SP12.
We have ADS against which we authenticate EP users.
There is a group in ADS called (say) GRP_ESS
We have assigned all ESS users to that group inside ADS.
Now I want to assign the EP role (say)  "ESS" to that group and store the group to role assignment itself in ADS.
Pls let me know how to accomplish this.
FYI :
We currently had assigned the EP role ESS to the group GRP_ESS in EP. Whenever AD is down, we lose all the role to group assignments. We have only read access to ADS from EP due to company policies.
Pls suggest any better way of accomplishing this.
Thx.
Josh

Hi Josh,
User (or Group) to Role assignments are stored as UM information on the Portal database, not in the LDAP. To my knowledge there's also no way to store these assignments in LDAP instead (it also doesn't really make sense IMHO). Are you sure you lost all the assignments in the case the LDAP (ADS) is not available? The assignments themselves cannot be lost due to the above fact.
Cheers!
Frodo
p.s. Feel free to award any points if you find this answer helpful.

Similar Messages

  • Map security roles to group within LDAP using external 3rd Party LDAP

    I'm having a problem mapping my logical role defined in my web.xml to a role within Active Directory. I'm currently authenticating using Active Directory successfully, however after the user is authenticated I get a message from the OC4J container that my role cannot be found. Can you map a logical role to a group within Active Directory? Below are details about my configuration.
    Any help would be greatly appreciated.
    Log.xml log entry that confirms webtA is communicating successfully with AD.
    <MSG_TEXT>JAAS-LDAPLoginModule: authenticating user wmgraham</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
    <HEADER>
    </CORRELATION_DATA>
    <PAYLOAD>
    <MSG_TEXT>JAAS-LDAPLoginModule: DN for user wmgraham is cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    <MESSAGE>
    <HEADER>
    Error reported in the log
    <MESSAGE>
    <HEADER>
    <TSTZ_ORIGINATING>2008-08-27T11:38:05.991-04:00</TSTZ_ORIGINATING>
    <COMPONENT_ID>j2ee</COMPONENT_ID>
    <MSG_TYPE TYPE="TRACE"></MSG_TYPE>
    <MSG_LEVEL>16</MSG_LEVEL>
    <HOST_ID>F2287032-W</HOST_ID>
    <HOST_NWADDR>30.30.16.14</HOST_NWADDR>
    <MODULE_ID>security</MODULE_ID>
    <THREAD_ID>14</THREAD_ID>
    <USER_ID>wmgraham</USER_ID>
    </HEADER>
    <CORRELATION_DATA>
    <EXEC_CONTEXT_ID><UNIQUE_ID>30.30.16.14:59560:1219851485804:6</UNIQUE_ID><SEQ>0</SEQ></EXEC_CONTEXT_ID>
    </CORRELATION_DATA>
    <PAYLOAD>
    <MSG_TEXT>for group=[JAZNGroupAdaptor: webta] there's no matching role found.</MSG_TEXT>
    </PAYLOAD>
    </MESSAGE>
    Web.xml Logical Role definition
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>allpages</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>WEBTA_J2EE_USER</role-name>
    </auth-constraint>
    </security-constraint>
    <security-role>
    <role-name>WEBTA_J2EE_USER</role-name>
    </security-role>
    Orion-web.xml This file maps the logical role defined in web.xml to a group within Active Directory.
    <security-role-mapping name="WEBTA_J2EE_USER">
    <group name="webta"/> <!-- Group defined in AD -->
    </security-role-mapping>

    What is the name of the group in AD (provide the DN) that you want to map the j2ee logical role WEBTA_J2EE_USER? What are the group search base and group mapping attribute?
    When wmgraham logs into the app, the 3rd party ldap login module will attempt to query for the groups wmgraham is a member of - this is done using the group search base configuration for the provider.
    In this example, the DN is "cn=wmgraham,ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and likely user search base is set to "ou=endusers,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi".
    Assuming group search base is (say) "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi" and group mapping attr is "cn", then the role mapping you mention should work for group DN "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"
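
The resolution described in the reply above, as an added example that is not part of the original posts and is not OC4J code: a group DN counts only if it lies under the group search base and its leaf RDN uses the group mapping attribute, and the resulting short name must match a `<group name>` in the role mapping. The class name, the two non-matching DNs and the exact-match lookup are assumptions made for illustration; the search base and attribute are the ones the reply assumes.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added illustration (hypothetical class, not the container's implementation).
public class GroupRoleMappingCheck {

    // Returns the short group name for a group DN, or null when the DN lies
    // outside the group search base or its leaf RDN does not use the
    // group mapping attribute.
    static String groupNameFor(String groupDn, String searchBase, String mappingAttr)
            throws InvalidNameException {
        LdapName dn = new LdapName(groupDn);
        LdapName base = new LdapName(searchBase);
        // LdapName indexes RDNs from right to left, so startsWith() tests the
        // written suffix: "is this entry located under the search base?"
        if (dn.size() <= base.size() || !dn.startsWith(base)) {
            return null;
        }
        Rdn leaf = dn.getRdn(dn.size() - 1);   // left-most RDN as written
        if (!leaf.getType().equalsIgnoreCase(mappingAttr)) {
            return null;
        }
        return String.valueOf(leaf.getValue());
    }

    public static void main(String[] args) throws InvalidNameException {
        // Values the reply assumes for the provider configuration.
        String searchBase = "ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi";
        String mappingAttr = "cn";

        // Group name -> logical role, mirroring the orion-web.xml mapping.
        // Exact-match lookup is a simplification made for this example.
        Map<String, String> roleByGroup = new LinkedHashMap<>();
        roleByGroup.put("webta", "WEBTA_J2EE_USER");

        String[] groupDns = {
            // Group DN named in the reply: under the base, leaf RDN is cn.
            "cn=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi",
            // Constructed: same cn, but located outside the group search base.
            "cn=webta,ou=apps,ou=div20,ou=hq,dc=fbinet,dc=fbi",
            // Constructed: under the base, but the leaf RDN is ou rather than cn.
            "ou=webta,ou=groups,ou=itod,ou=endusers,ou=div20,ou=hq,dc=fbinet,dc=fbi"
        };

        for (String groupDn : groupDns) {
            String name = groupNameFor(groupDn, searchBase, mappingAttr);
            String role = (name == null) ? null : roleByGroup.get(name);
            System.out.println(groupDn);
            System.out.println("    group name = " + name + ", mapped role = " + role);
        }
    }
}
```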

  • Creation of Portal users and group assignments

    Hi, everyone. My company just completed a load of some 2000 E-Business suite users into our new portal and have given them group assignments according to payroll. I had gathered a number of routines into a PL/SQL package in order to do this. These came from several sources in these forums, on Metalink, and other places on the internet. I was wondering if anyone would be interested in having it. A lot of it was rewritten on the fly, and I should probably clean it up a bit, but it would have saved me some time if someone had offered it to me. Is there a good place to post things like this? I'm sure that better ways exist to do some of these things than what I used, and I would be interested in some of the experts' comments.
    Anyway, let me know if you are interested.
    --Dave

    hi Dave,
    i am trying to study a problem with group assignments in a proper branch in OID. it would probably be helpful to clear some pieces in this problem from your notes.
    would you be kind to send a copy to [email protected]
    with kind regards,
    AMN

  • Importing Roles-User Groups Mapping from one Environment to Another

    Hi,
    I have this situation. I am using WLP8.1 SP4
    I have two environments (E1 and E2)and I have 2 MS Active Directory server (MS1 and MS2). The LDAP authenticator in E1 is configured to use MS1 and the LDAP authenticator in E2 is configured to use MS2. The user groups are stored in the Active Directory servers and the role-user groups mappings are done within the Weblogic.
    I imported the role-user groups mappings from E1 to E2 and it works. After that, if I map another user group to an existing role and do an import again from E1 to E2, it does not take any effect. Why is it so? Any kind soul can help me? I am very lost now.?:|

    Hello! :)
    Unfortunately, I'm already using Catalog Manager in transferring files. I'd really like to find out if there is a particular file that defines the permissions of the objects that I should also transfer, or if I should really do that manually for each of the objects?
    Thanks for the reply! :)

  • Clustered role 'Cluster Group' has exceeded its failover threshold.

    Hello.
    I’m hoping to get some help with a cluster issue I’m having using Windows Storage Server 2012.
    When the cluster is created my Cluster Core Resources are all happy and online.
    I can move the Cluster Name using “move Core Cluster Resources” between the two nodes without any problems.
    If I select ‘Simulate Failure’ on the IP Address resource, it works the first time
    If I do it again shortly after it fails and I get an Event ID 1254, 1205 and 1069.
    Event ID 1254
    Clustered role 'Cluster Group' has exceeded its failover threshold. 
    It has exhausted the configured number of failover attempts within the failover period of time allotted to it and will be left in a failed state. 
    No additional attempts will be made to bring the role online or fail it over to another node in the cluster. 
    Please check the events associated with the failure.  After the issues causing the failure are resolved the role can be brought online manually or the cluster may attempt to bring it online again after the restart delay period.
    Event ID 1205
    The Cluster service failed to bring clustered service or application 'Cluster Group' completely online or offline. One or more resources may be in a failed state. This may impact the availability of the clustered service or application.
    Event ID 1069
    Cluster resource 'Cluster IP Address' of type 'IP Address' in clustered role 'Cluster Group' failed.
    Based on the failure policies for the resource and role, the cluster service may try to bring the resource online on this node or move the group to another node of the cluster and then restart it. 
    Check the resource and group state using Failover Cluster Manager or the Get-ClusterResource Windows PowerShell cmdlet.
    Basically I’m trying to simulate a network failure to make sure the failover kicks in.
    If I click on it and ‘Bring Online’ it comes up fine.
    Where do I find this Threshold Policy and set it to initiate failover if the IP Address resources fails?
    Thank you in advance for your help.

    Hi,
    The failover threshold is the number of times the group can fail over within the number of hours specified by the failover period. For example, if a group failover threshold is set to "5" and its failover period to "3," the clustering software stops attempting to bring the group online and leaves the resources within the group in their current state. For example, if the IP Address resource is brought online but the Network Name resource fails, the group is left offline, but the IP Address resource is left online.
    To configure thresholds for a resource:
    Right-click the cluster resource and then select 'Properties'
    Click 'Advanced'
    Select 'Do not restart' if the cluster service should not attempt to restart. Restart is the default
    If 'Restart' is selected:
    Affect the Group: uncheck to prevent a failure of the selected resource from causing the Server group to failover
    Threshold: number of times the cluster service will attempt to restart the resource, and period is the amount of time in seconds between retries
    Do not modify the 'LooksAlive' and 'IsAlive' settings
    Unless necessary, do not alter the 'Pending Timeout'. This is the amount of time the resource is either in the online pending or offline pending states before the cluster service puts it in either offline or failed state
    For more information please refer to following MS articles:
    Windows Failover Clustering Overview
    http://blogs.technet.com/b/rob/archive/2008/05/07/failover-clustering.aspx
    Tuning Failover Cluster Network Thresholds
    http://blogs.msdn.com/b/clustering/archive/2012/11/21/10370765.aspx
    Failover cluster (group) maximum failures limit
    http://blogs.msdn.com/b/arvindsh/archive/2012/03/09/failover-cluster-group-maximum-failures-limit.aspx
    Lawrence
    TechNet Community Support

  • Role and groups ?

    What is the difference between roles and groups in Identity Server

    The main difference between roles and groups in Identity Server 5.1 is that you cannot assign policy to groups, only to roles.
    Roles in Identity Server are used to define management permission via ACIs and to allow attribute inheritance via CoS and roles.

  • Table for Role & Authorization group

    Hi Gurus,
    I am looking for a table or FM to get all roles for Authorization group.
    I tried in SUIM tcode but was not able to find the exact DB table for these.
    Giri
    P.S.: To Moderator:
           My earlier thread was locked for the same question, I was searching in SDN and Google for the last 3 days and was not able to find enough information on it. AGR_USERS, TBRG, TACT are the tables I found. But still there is a link missing between Role & Authorization Group.

    Thomas,
    My report have selection screen with Auth group and user.
    If user provides Auth. Group then need to find all roles linked to auth group and users assigned to that role.
    In my investigation, there is link between Auth. Group <--> Auth. object.
    Also Auth. Object <--> Role.
    but still there is a fine link missing between Auth Group <--> Role.
    For Eg: Auth Object S_TABU_DIS will be associated to all Auth. Groups but assigned to only limited roles.
    I tried to debug the SUIM transaction multiple times but couldn't find the tables to find the link and not able to find the FM's.
    If anybody has any idea how to find that link between Auth. Group & Role then it will be helpful....
    Giri

  • Transporting role with user assignments

    Hi Guru's,
    When we transport a role with user assignments then in the target system, the role will wipe out all the existing assignments and show the users in the original released request.
    eg. D->Q
    In dev:
    role-A has userA, userB
    In Qas;
    Role-A has UserA and userC
    ......after import of request:
    the roleA will have userA and userB
    What I have noticed is even if userB does not exist in Qas, the assignment will be reflected in AGR_USERS. A PFUD or user compare in a role does not remove the ghost entries. Is there any way to remove these inconsistencies ?
    I saw note 534010, which is applicable for UST04.
    Thank you
    Abhishek

    Hi Matt,
    Yes, I do agree this is not a best practice. However, for a particular requirement, we thought this was the best way to solve the problem. In fact, this was the first time I ever did this.
    We have a role that needs to ONLY be assigned to every person in a particular team. With more than 30 systems present( out of the production landscape, just the testing systems), we thought this would be the only fast way out than going in each system and assigning this role. This would also ensure unassignment of this role to any other person too
    Any other alternative?
    Thank you
    Abhishek

  • Role & authorization group

    Hi guys,
    is there any table or FM which gives the link between Role & Authorization group?
    Thanks
    Giri
    Moderator message: please try finding this yourself before asking others.
    Edited by: Thomas Zloch on Nov 9, 2010 9:48 PM

    Thanks Soumyaprakash,
    I am developing a report on this to know which users have the roles and authorization groups assigned to them.
    I need a DB table name or FM to get the link between Role and Authorization group.
    Giri

  • Assigning Roles to Groups

    Hi there,
    I am a newbie to SAP and have some questions about user management in Web AS ABAP.
    Is it, like in Web AS Java, possible to assign roles to groups?
    And could one user be in several groups?
    Or is it possible to assign groups to groups?
    I want to assign a group to each role and then not changing the assignment of user to role but instead change the assignment of user to groups.
    Thanks for your answers,
    stefan

    Hi Stefan,
    Ques 1) Is it, like in Web AS Java, possible to assign roles to groups?
    Ans: You cannot assign roles to a group.
    Ques 2) And could one user be in several groups?
    Ans: Yes you can assign user to multiple groups.
    User Management -> Group -> Assign User to a group.
    Ques 3) Or is it possible to assign groups to groups?
    Ans: Yes, this is also possible. Just go to User Administration on portal and then Groups. There you will find an icon group to another group.
    User Management -> Group -> Assign group to a group.
    I think this will help to solve your problem..
    Regards
    Pravesh
    Sorry!! I really misunderstood the problem. So I am editing the wrong part of my answer.
    Message was edited by: Pravesh Verma

  • WEB UI account creation with role and grouping

    Hi All,
    I can create account in SalesPro->Account Management-> Account - New
    I don't have an option of selecting BP Role or Grouping for number range...
    Should i be using any other WEBUI Role in order to create Account with an option of BP Role and Grouping
    Thanks
    Amish

    Hello there,
    The BP Role which will be used and even the number ranges are generally not used for Web UI usage. Instead we provide different configurations of the same Account Creation view based on the Component Usage and three different keys.
    The functionality you are looking for can be achieved by creating different configurations.
    To create different configurations of the same view in Web UI please search on the below link :
    http://wiki.sdn.sap.com/wiki/display/CRM/CRMWebClientUIFramework
    Please reply if this helps.
    Best regards,
    Vinamra.

  • Copy SQ01 User Group Assignments During New User Creation

    When creating a new user (copy-from method), can the SQ03 user group assignments also be copied at this time or must this be maintained separately?

    Hi, As far as I am aware it is separate.

  • Get inf. about user, role and group, which shows and works on my webdynpro ?

    Hi everybody,
    Can someone help me? I need the information about the role and group of the user who is viewing and working on my webdynpro.

    Hi,
    You can use the below code to get the information you need. You need to add the jar file com.sap.security.api.jar to your Web Dynpro project's build path.
    // Imports: java.util.Iterator, com.sap.security.api.* (UMFactory, IUser, IRole,
    // IGroup, IRoleFactory, IGroupFactory) and
    // com.sap.tc.webdynpro.services.sal.um.api.* (IWDClientUser, WDClientUser)
    IRoleFactory roleFactory = UMFactory.getRoleFactory();
    IGroupFactory groupFactory = UMFactory.getGroupFactory();
    try
    {
         // Resolve the user of the current Web Dynpro session to a UME user
         IWDClientUser wdUser = WDClientUser.getCurrentUser();
         IUser user = wdUser.getSAPUser();
         Iterator assignedRoles = user.getRoles(true); // true means all the roles are searched recursively
         Iterator assignedGroups = user.getParentGroups(true); // true means all the groups are searched recursively
         while(assignedRoles.hasNext())
         {
              String roleID = (String)assignedRoles.next();
              IRole role = roleFactory.getRole(roleID);
              String roleName = role.getUniqueName();
              // Fill your model node with the role
         }
         while(assignedGroups.hasNext())
         {
              String groupID = (String)assignedGroups.next();
              IGroup group = groupFactory.getGroup(groupID);
              String groupName = group.getUniqueName();
              // fill your model node with group.
         }
    }
    catch(Exception ex)
    {
         // messageManager is the component's message manager
         messageManager.reportException(ex.getLocalizedMessage(),false);
    }

  • What is the difference between role and group?

    In fact, a group means a special role that has no assigned functions.

    Hi Kang
    The difference between Roles and Groups:
    Roles
    Roles are the largest semantic unit within the content objects. A role is a folder hierarchy comprising other content objects (worksets, pages, iViews). The contents of a role are based on the company structure and information requirements of the users of a company. Roles are assigned to users. This means that users can only access the content that is relevant for them if they have the appropriate role.
    Groups
    Groups contain users falling under the same category. For example let's say that you have a set of roles, role x and role y. You have to assign role x to users of type a (let these be users who can only view your portal and cannot make changes) and role y to users of type b (let these users be administrators). Then you can add the users of type a to a group and assign the role x to them. Similarly you can add the users of type b to another group and assign the role y to them. This rids you of the task of having to assign the two roles to each user type individually.
    Hope you got the difference now.
    Warm Regards
    Priya

  • Hi,report like roles with groups display?

    i am having roles /groups like following
    String[] arrRoles = {"devloper","admin","manager","clerk","other"};
    String[] arrGroups = {"grp1","grp2","grp3","grp4","grp5","grp6"};
    each groups having separate access
    grp1 roles manager,developer
    grp2 roles manager,clerk,other
    grp3 roles clerk,admin
    grp4 roles other
    grp5 roles manager,develoepr,admin,clerk,other
    grp6 roles clerk,other
    finally after reading two array values and each group roles ,
    i need to values in report like this
    report
    role grp1 grp2 grp3 grp4 grp5 grp6
    devloper yes no no no yes no
    admin no no yes no yes no
    manager yes yes no no yes no
    clerk no yes yes no yes yes
    other no yes no yes yes yes
    i need to display values: if the group has the role, display
    yes, otherwise no.
    can anyone help me with how to do and display this?
    here roles and groups are not fixed values; both are dynamically
    created array objects
    thanks in advance
    sai

    hi,
    thanks for your example.
    anyway, i solved this issue myself another way.
    class Report3Test
    {
         public static void main(String str[])
         {
              String[] arrRoles = {"develop","admin","manager","clerk","other"};
              String[] arrGroups = {"grp1","grp2","grp3","grp4","grp5","grp6"};
              String arGrp1[] ={"manager","develop"};
              String arGrp2[] ={"manager","clerk","other"};
              String arGrp3[] ={"clerk","admin"};
              String arGrp4[] ={"other"};
              String arGrp5[] ={"manager","develop","admin","clerk","other"};
              String arGrp6[] ={"clerk","other"};
              String DELIMINATOR = "\t";
              String strGroups = "";
              // Header row: "Roles" followed by one column per group
              strGroups = "Roles"+DELIMINATOR;
              for(int i =0; i<arrGroups.length;i++)
                   strGroups = strGroups+arrGroups[i]+DELIMINATOR;
              System.out.println(strGroups);
              // One row per role: "Yes" when the group's role list contains the role
              for(int i =0; i<arrRoles.length;i++)
              {
                   String groupStatus1 = "No";
                   String groupStatus2 = "No";
                   String groupStatus3 = "No";
                   String groupStatus4 = "No";
                   String groupStatus5 = "No";
                   String groupStatus6 = "No";
                   for ( int k =0; k<arGrp1.length;k++)
                        if(arGrp1[k].equals(arrRoles[i]))
                             groupStatus1 = "Yes";
                   for ( int k =0; k<arGrp2.length;k++)
                        if(arGrp2[k].equals(arrRoles[i]))
                             groupStatus2 = "Yes";
                   for ( int k =0; k<arGrp3.length;k++)
                        if(arGrp3[k].equals(arrRoles[i]))
                             groupStatus3 = "Yes";
                   for ( int k =0; k<arGrp4.length;k++)
                        if(arGrp4[k].equals(arrRoles[i]))
                             groupStatus4 = "Yes";
                   for ( int k =0; k<arGrp5.length;k++)
                        if(arGrp5[k].equals(arrRoles[i]))
                             groupStatus5 = "Yes";
                   for ( int k =0; k<arGrp6.length;k++)
                        if(arGrp6[k].equals(arrRoles[i]))
                             groupStatus6 = "Yes";
                   String roleParam = (String)arrRoles[i];
                   System.out.println(roleParam+DELIMINATOR+groupStatus1+DELIMINATOR+groupStatus2+DELIMINATOR+groupStatus3+DELIMINATOR+groupStatus4+DELIMINATOR+groupStatus5+DELIMINATOR+groupStatus6);
              }
         }
    }
    ===================
    sai
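
The question states that roles and groups are created dynamically, while the posted solution fixes six groups in code. The following is an added example, not code from either poster, that builds the same Yes/No matrix for any number of roles and groups and also lists roles a group grants that are absent from the role list, since a misspelled role name otherwise just shows up as "No" in an access report. The class and method names are hypothetical; the sample data is taken from the question as spelled there.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added illustration (hypothetical class): role x group matrix for dynamic input.
public class RoleGroupMatrix {

    // Builds a tab-separated table: one column per group, one row per role.
    static String render(List<String> roles, Map<String, Set<String>> rolesByGroup) {
        StringBuilder out = new StringBuilder("Roles");
        for (String group : rolesByGroup.keySet()) {
            out.append('\t').append(group);
        }
        out.append('\n');
        for (String role : roles) {
            out.append(role);
            for (Set<String> granted : rolesByGroup.values()) {
                out.append('\t').append(granted.contains(role) ? "Yes" : "No");
            }
            out.append('\n');
        }
        return out.toString();
    }

    // Roles granted by at least one group but missing from the role list.
    // These never appear as a row, so the matrix alone would hide them.
    static Set<String> unknownRoles(List<String> roles, Map<String, Set<String>> rolesByGroup) {
        Set<String> unknown = new TreeSet<>();
        for (Set<String> granted : rolesByGroup.values()) {
            unknown.addAll(granted);
        }
        unknown.removeAll(roles);
        return unknown;
    }

    // Small helper that keeps insertion order for readable output.
    static Set<String> set(String... names) {
        return new LinkedHashSet<>(Arrays.asList(names));
    }

    public static void main(String[] args) {
        // Sample data from the question, including its inconsistent spellings
        // of the developer role ("devloper", "developer", "develoepr").
        List<String> roles = Arrays.asList("devloper", "admin", "manager", "clerk", "other");

        Map<String, Set<String>> rolesByGroup = new LinkedHashMap<>();
        rolesByGroup.put("grp1", set("manager", "developer"));
        rolesByGroup.put("grp2", set("manager", "clerk", "other"));
        rolesByGroup.put("grp3", set("clerk", "admin"));
        rolesByGroup.put("grp4", set("other"));
        rolesByGroup.put("grp5", set("manager", "develoepr", "admin", "clerk", "other"));
        rolesByGroup.put("grp6", set("clerk", "other"));

        System.out.print(render(roles, rolesByGroup));
        System.out.println("Granted but not in role list: "
                + unknownRoles(roles, rolesByGroup));
    }
}
```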
